5625 matches found
JVN#95981715: Starlette vulnerable to directory traversal
Starlette provided by Encode contains a directory traversal vulnerability CWE-22. Impact Under certain conditions, a remote attacker may view files in a web service which was built using the product. Solution Update the software Update the software according to the information provided by the...
JVN#75742861: Improper restriction of XML external entity references (XXE) in National land numerical information data conversion tool
National land numerical information data conversion tool provided by MLIT improperly restricts XML external entity references XXE CWE-611. Impact By processing a specially crafted XML file, arbitrary files on the PC may be accessed by an attacker. Solution Stop using the product The developer...
JVN#78253670: web2py development tool vulnerable to open redirect
The admin development tool included in the web2py source code contains an open redirect vulnerability CWE-601. According to the developer, they do not recommend using the tool in operational environment or disclosing it on the Internet. Impact When using the tool, a web2py user may be redirected ...
JVN#00845253: Growi vulnerable to improper access control
GROWI provided by WESEEK, Inc. contains an improper access control vulnerability CWE-284. Impact A user who can login to the affected product may download the markdown data from the pages set to private by the other users. Solution Update the software Update the software to the following versions...
JVN#15241647: WordPress plugin "WP Statistics" vulnerable to cross-site scripting
WordPress plugin "WP Statistics" provided by VeronaLabs contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is logging in to the web site using the product. Solution Update the plugin Update the plugin according to th...
JVN#10168753: SNKRDUNK Market Place App for iOS vulnerable to improper server certificate verification
SNKRDUNK Market Place App for iOS provided SODA, Inc. is vulnerable to improper server certificate verification CWE-295. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on and/or alter the communication. Solution Update the application Update the application to the latest...
JVN#65660590: boastMachine vulnerable to cross-site scripting
boastMachine provided by knadh contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Stop using "boastMachine" The developer states that the product is no longer supported, therefore stop using the product. Products...
JVN#63474730: CubeCart vulnerable to directory traversal
CubeCart from CubeCart Limited is an open source system for creating online shopping websites. CubeCart contains a directory traversal vulnerability CWE-22. Impact A local file outside of CubeCart may be accessed by an administrator of CubeCart. Solution Update the Software Update to the latest...
JVN#42070907: Multiple SONY Videoconference Systems do not properly perform authentication
Multiple SONY Videoconference Systems have a default user account which does not require authentication to login to a device CWE-306. This user account has a privilege to view some of the system configuration files. As a result, the device may be manipulated by an attacker with administrative...
JVN#20252219: kintone mobile for Android fails to verify SSL server certificates
kintone mobile for Android provided by Cybozu, Inc. fails to verify SSL server certificates in WebView. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provid...
JVN#75396659: DERAEMON-CMS vulnerable to cross-site scripting
DERAEMON-CMS provided by TEAM DERAEMONS is a content management system CMS. install.php in DERAEMON-CMS contains a cross-site scripting vulnerability CWE-79 due to a flaw in processing of the parameters hostname, database and username. Impact An arbitrary script may be executed on the user's web...
JVN#89211736: Cybozu Garoon vulnerable to authentication bypass
Cybozu Garoon provided by Cybozu,Inc. is a groupware. Cybozu Garoon contains an authentication bypass vulnerability. Impact A remote attacker may bypass login authentication. Solution Update the Software Update to the latest version according to the information provided by the developer. Products...
JVN#09836883: Geeklog IVYWE edition contains a cross-site scripting vulnerability
Geeklog is an open source content management system CMS. Geeklog IVYWE edition contains a cross-site scripting CWE-79 vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Apply the Patch Apply the appropriate patch according to the information provided by...
JVN#42930233: QNAP QTS vulnerable to cross-site scripting
QNAP QTS is an operating system for Turbo NAS. QNAP QTS contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Firmware Update to the latest version of firmware according to the information provided by the...
JVN#47363774: WordPress plugin "Welcart e-Commerce" vulnerable to PHP object injection
WordPress plugin "Welcart e-Commerce" contains a PHP object injection vulnerability due to a flaw where untrusted POST values are unserialized. Impact A remote attacker may execute arbitrary PHP code. Solution Update the Software Update to the latest version according to the information provided ...
JVN#32218514: Cybozu Garoon vulnerable to open redirect
Cybozu Garoon is a groupware. Cybozu Garoon contains an open redirect vulnerability. Impact When accessing a specially crafted URL, a user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack. Solution Update the Software Update to the latest...
JVN#87859762: H2O use-after-free vulnerability
H2O is an open source web server software. H2O contains a use-after-free vulnerability. Impact An attacker may cause a denial-of-service DoS condition by sending a specially crafted packet. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#73166466: a-blog cms vulnerable to cross-site scripting
a-blog cms provided by appleple Inc. is a content management system CMS. a-blog cms contains a cross-site scripting vulnerability in the standard template of the comment functionality. Impact An arbitrary script may be executed on the user's web browser. Solution Apply the Patch Apply the patch...
JVN#73776243: EC-CUBE vulnerable to cross-site request forgery
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a cross-site request forgery vulnerability CWE-352. Impact If an administrator views a malicious page while logged in, unintended operations may be performed. Solution Apply the update or the...
JVN#46044093: LINE for Windows and LINE for Mac OS vulnerable to denial-of-service (DoS)
LINE for Windows and LINE for Mac OS contain a denial-of-service DoS vulnerability due to an issue in displaying the Timeline. Impact By displaying a specially crafted post in Timeline, the product may be abnormally terminated. Solution Update the software Update to the latest version according t...
JVN#09268287: Multiple Buffalo network devices vulnerable to cross-site request forgery
Multiple network devices provided by BUFFALO INC. contain a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be conducted. Solution Update the firmware Update the firmware according to the information provided by...
JVN#20649799: Void vulnerable to cross-site scripting
Void is an open source content management system CMS. Void contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Apply an update Update to the latest version according to the information provided by the developer...
JVN#25576608: Avast vulnerable to directory traversal
Avast contains an issue in processing archive files, which may result in a directory traversal CWE-22 vulnerability. When an archive file such as zip is detected as containing a virus and the included virus file is being moved or deleted, the operation is done to the file path inside the archive...
JVN#27548431: gollum vulnerable to file exposure
gollum is a wiki system that uses git repositories. gollum contains a vulnerability which may allow an attacker to view arbitrary files on the server. Impact A remote attacker may view arbitrary files on the server. Solution Update the Software Update to the latest version according to the...
JVN#19011483: Thetis vulnerable to SQL injection
Thetis provided by Sysphonic Co., Ltd. is an open source groupware and SNS. Thetis contains a SQL injection CWE-89 vulnerability. Impact An attacker may obtain or alter information stored in the database. Solution Apply an Update Apply the update according to the information provided by the...
JVN#64459670: mt-phpincgi vulnerable to PHP object injection
mt-phpincgi is script that runs Movable Type templates as PHP. mt-phpincgi contains a PHP object Injection vulnerability. According to the reporter, attacks that attempt to exploit this vulnerability have been confirmed. Impact Arbitrary PHP code may be executed on the server by an unauthenticate...
JVN#91016415: Maroyaka Relay Novel vulnerable to cross-site scripting
Maroyaka Relay Novel provided by Maroyaka CGI is a CGI script for posting text into a website. Maroyaka Relay Novel contains a persistent cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest...
JVN#98097877: "Omake BBS" of i-HTTPD vulnerable to cross-site scripting
i-HTTPD is a web server for Windows. i-HTTPD contains "Omake BBS". "Omake BBS" contains a flaw in processing input character string, which may result in a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Do not use...
JVN#36205251: 365 Links series vulnerable to cross-site scripting
365 Links series provided by php365.com are link directory management tools. 365 Links series contain a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the information...
JVN#49672671: WisePoint vulnerable to session fixation
WisePoint provided by Falcon System Consulting, Inc. contains a session fixation vulnerability. Impact An attacker may impersonate a registered user. As a result, information may be disclosed or altered. Solution Update the Software Update to the latest version according to the information provid...
JVN#32726697: GOM Player vulnerable to denial-of-service (DoS)
GOM Player provided by Gretech contains a denial-of-service DoS vulnerability due to an issue in processing an image file. Impact When processing a specially crafted image file, the player may not be launched. Solution Update the Software Update to the latest version according to the information...
JVN#78136804: CN8000 vulnerable to denial-of-service (DoS)
CN8000 provided by ATEN is a remote access unit used to connect a keyboard, mouse and monitor to two or more computers in a remote location. CN8000 contains a denial-of-service DoS vulnerability. Impact A remote attacker may be able to cause a denial-of-service DoS. Solution Update the Firmware...
JVN#68340046: intra-mart vulnerable to open redirect
intra-mart is a software framework for creating web applications. intra-mart contains an open redirect vulnerability. Impact When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack. Solution Apply t...
JVN#47386847: SD Card Manager vulnerable to directory traversal
SD Card Manager provided by apps4u@android contains an issue in processing file names, which may result in a directory traversal CWE-22 vulnerability. Impact A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the application has...
JVN#71045461: Cybozu Garoon vulnerable to SQL injection
Cybozu Garoon provided by Cybozu, Inc. is a groupware. Cybozu Garoon contains an issue in the process of downloading files, which may result in SQL injection. Impact A user who can log in to the system may obtain or alter information on the system. Solution For Cybozu Garoon 3.7: Apply the Patch...
JVN#48810179: Denny's App for Android. contains an issue where it fails to verify SSL server certificates
Denny's App for Android. contains an issue where it fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#24730765: Blackboard Vista/CE vulnerable to cross-site scripting
Blackboard Vista/CE is a learning management system LMS. Blackboard Vista/CE contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the information provided by the...
JVN#85716574: NeoFiler vulnerable to directory traversal
NeoFiler provided by SkyArts.com contains an issue in processing file names, which may result in a directory traversal CWE-22 vulnerability. Impact A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the application has privileges to...
JVN#97810280: KDrive Personal for Windows contains an issue where it fails to verify SSL server certificates
KDrive Personal for Windows contains an issue where it fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by th...
JVN#68773685: AQUOS PhotoPlayer HN-PP150 vulnerable to denial-of-service (DoS)
AQUOS PhotoPlayer HN-PP150 contains an issue in the processing of packets, which may lead to a denial-of-service DoS. Impact Network functions may be disabled by a remote attacker. Solution Update the Firmware Update to the latest version of firmware according to the information provided by the...
JVN#61972596: Online Service Gate vulnerable in Office 365 password management
Online Service Gate provided by SoftBank Technology is a solution to manage the use of Office 365 which allows a system administrator to manage Office 365 users' passwords. Office 365 users' passwords are intended to be managed by a system administrator and cannot be obtained by users. OWA Helper...
JVN#01313594: jigbrowser+ for Android vulnerable to address bar spoofing
jigbrowser+ for Android contains an issue when opening a new window, which may result in the address bar being spoofed. Impact This vulnerability could be leveraged to forge the contents of the address bar for conducting phishing attacks. Solution Update the software Update to the latest version...
JVN#65034198: Sleipnir for Windows vulnerable to address bar spoofing
Sleipnir for Windows contains an issue in displaying colors and the padlock icon on the address bar, which may result in the address bar being spoofed. Impact A user may misinterpret that the website is using the SSL for communications even when the site is not using SSL. Solution Update the...
JVN#01167429: OpenWnn for Android vulnerable to information disclosure
OpenWnn provided by OMRON SOFTWARE Co., Ltd. is a Japanese Input Method Editor IME. OpenWnn for Android contains an issue in the access permissions for certain files. Impact If a user of the affected product uses other malicious Android application, information managed by the affected product may...
JVN#86040029: Weathernews Touch for Android stores location information in the system log file
Weathernews Touch provided by Weathernews Inc. is a weather forecast application. Weathernews Touch for Android contains a vulnerability that stores location information in the system log file. Impact Android applications with permissions to read system log files may obtain location information...
Welcart vulnerable to cross-site request forgery
Overview Welcart contains a cross-site request forgery vulnerability. Welcart provided by Collne Inc. is a WordPress plugin for creating shopping websites. Welcart contains a cross-site request forgery vulnerability. Yoshinori Matsumoto of Kobe Digital Lab., Inc. reported this vulnerability to IP...
JVN#55398821: Pebble vulnerable to open redirect
Pebble is an open source weblog system. Pebble contains an open redirect vulnerability. Impact When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack. Solution Update the software Update to the...
cforms II vulnerable to cross-site scripting
Overview cforms II contains a cross-site scripting vulnerability. cforms II provided by delicious days is a plugin for WordPress. cforms II contains a cross-site scripting vulnerability. Kousuke Ebihara and Yuya Watanabe of Tejimaya.inc reported this vulnerability to IPA. JPCERT/CC coordinated wi...
JVN#98649286: CSWorks LiveData Service vulnerable to denial-of-service (DoS)
LiveData Service, a server component of CSWorks, contains an issue when processing TCP packets, which may lead to a denial-of-service DoS. Impact A remote attacker may be able to cause a denial-of-service DoS. Solution Update the software Update to the latest version according to the information...
JVN#08307791: Plume vulnerable to cross-site scripting
Plume is a Content Management System CMS. Plume contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the web browser of a user that is logged in as administrator. Solution Update the Software Update to the latest version according to the information provide...